Secure Coding mailing list archives
The Next Frontier
From: James.McGovern at thehartford.com (McGovern, James F (HTSC, IT))
Date: Thu, 28 Jun 2007 16:26:49 -0400
Would Fortify consider making their schema open source and donating it to OWASP? Likewise, would Ouncelabs, Coverity and others be willing to adapt their product to it?

-----Original Message-----
From: sc-l-bounces at securecoding.org [mailto:sc-l-bounces at securecoding.org] On Behalf Of Paco Hope
Sent: Wednesday, June 27, 2007 4:38 PM
To: Secure Coding
Subject: Re: [SC-L] The Next Frontier

On 6/26/07 5:00 PM, "McGovern, James F (HTSC, IT)" <James.McGovern at thehartford.com> wrote:

> Would there be value in terms of defining an XML schema that all tools could emit audit information to?

You might want to take a look at what the Fortify guys already do. Their "FVDL" (Fortify Vulnerability Description Language) is XML written to a specific schema. Here's a snippet:

    <?xml version="1.0" encoding="UTF-8"?>
    <FVDL xmlns="xmlns://www.fortifysoftware.com/schema/fvdl"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          version="1.5" xsi:type="FVDL">
      <CreatedTS xmlns="xmlns://www.fortifysoftware.com/schema/fvdl" date="2007-06-27" time="16:27:37"/>
      <Build xmlns="xmlns://www.fortifysoftware.com/schema/fvdl">
        <BuildID>curl-7.11.1</BuildID>
        <NumberFiles>42</NumberFiles>
        <LOC>23572</LOC>
        <SourceBasePath>/Users/paco/Documents/Fortify/curl-7.11.1/lib</SourceBasePath>
        <SourceFiles>
          <File size="20098" timestamp="1079527605000">connect.c</File>
          <File size="11584" timestamp="1077710136000">krb4.c</File>
    [..snip..]
      <Vulnerability xmlns="xmlns://www.fortifysoftware.com/schema/fvdl">
        <ClassInfo>
          <ClassID>28424EC3-FFAC-40C0-94D9-3D8283B2F57C</ClassID>
          <Kingdom>Input Validation and Representation</Kingdom>
          <Type>Buffer Overflow</Type>
          <AnalyzerName>dataflow</AnalyzerName>
          <DefaultSeverity>4.0</DefaultSeverity>
        </ClassInfo>
        <InstanceInfo>
          <InstanceID>005542ED81D54F3C72BF3669EA8D130A</InstanceID>
          <InstanceSeverity>4.0</InstanceSeverity>
          <Confidence>3.4</Confidence>
        </InstanceInfo>
    [..snip..]

Some of their XML seems quite reusable to me, and some of it seems pretty proprietary.
It doesn't seem like they share a DTD or a schema publicly. Perhaps a little coaxing would get them to release it.

Paco
--
Paco Hope, CISSP
Technical Manager, Cigital, Inc
http://www.cigital.com/ * +1.703.585.7868
Software Confidence. Achieved.

_______________________________________________
Secure Coding mailing list (SC-L) SC-L at securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
_______________________________________________
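The point of the thread is whether one schema could let every tool emit findings that any consumer can read. As an added illustration (not part of the thread, and not Fortify's or Cigital's code), the following Python reads the FVDL snippet quoted above into plain records and applies a severity threshold, which is the minimum a downstream consumer would do with such a feed. It assumes only what the snippet shows: the element names, the default namespace on every element, and that InstanceSeverity overrides DefaultSeverity when both are present. The embedded sample is the quoted snippet with its [..snip..] gaps closed, plus a second, entirely constructed low-severity entry so the filter has something to drop.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Dict, List

# Default namespace declared on every element in the quoted snippet.
FVDL_NS = "xmlns://www.fortifysoftware.com/schema/fvdl"

# Constructed sample: the quoted snippet with its [..snip..] gaps closed, plus a
# second, made-up low-severity entry so the threshold filter has work to do.
SAMPLE_FVDL = """<?xml version="1.0" encoding="UTF-8"?>
<FVDL xmlns="xmlns://www.fortifysoftware.com/schema/fvdl"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="1.5" xsi:type="FVDL">
  <CreatedTS date="2007-06-27" time="16:27:37"/>
  <Build>
    <BuildID>curl-7.11.1</BuildID><NumberFiles>42</NumberFiles><LOC>23572</LOC>
    <SourceBasePath>/Users/paco/Documents/Fortify/curl-7.11.1/lib</SourceBasePath>
    <SourceFiles>
      <File size="20098" timestamp="1079527605000">connect.c</File>
      <File size="11584" timestamp="1077710136000">krb4.c</File>
    </SourceFiles>
  </Build>
  <Vulnerability>
    <ClassInfo>
      <ClassID>28424EC3-FFAC-40C0-94D9-3D8283B2F57C</ClassID>
      <Kingdom>Input Validation and Representation</Kingdom>
      <Type>Buffer Overflow</Type><AnalyzerName>dataflow</AnalyzerName>
      <DefaultSeverity>4.0</DefaultSeverity>
    </ClassInfo>
    <InstanceInfo>
      <InstanceID>005542ED81D54F3C72BF3669EA8D130A</InstanceID>
      <InstanceSeverity>4.0</InstanceSeverity><Confidence>3.4</Confidence>
    </InstanceInfo>
  </Vulnerability>
  <Vulnerability><!-- constructed entry, not from the thread -->
    <ClassInfo>
      <ClassID>00000000-0000-0000-0000-000000000000</ClassID>
      <Kingdom>Errors</Kingdom><Type>Constructed Finding</Type>
      <AnalyzerName>constructed</AnalyzerName><DefaultSeverity>2.0</DefaultSeverity>
    </ClassInfo>
    <InstanceInfo>
      <InstanceID>00000000000000000000000000000000</InstanceID>
      <InstanceSeverity>2.0</InstanceSeverity><Confidence>1.5</Confidence>
    </InstanceInfo>
  </Vulnerability>
</FVDL>
"""


def q(tag: str) -> str:
    """Qualify a local name with the FVDL namespace (ElementTree's {uri}tag notation)."""
    return "{%s}%s" % (FVDL_NS, tag)


@dataclass
class Finding:
    class_id: str
    kingdom: str
    vuln_type: str
    analyzer: str
    instance_id: str
    severity: float
    confidence: float


@dataclass
class FvdlReport:
    build_id: str
    number_files: int
    loc: int
    source_files: Dict[str, int] = field(default_factory=dict)  # file name -> size attribute
    findings: List[Finding] = field(default_factory=list)


def _text(elem: ET.Element, tag: str, default: str = "") -> str:
    """Stripped text of the first namespaced child <tag>, or default if absent or empty."""
    node = elem.find(q(tag))
    return default if node is None or node.text is None else node.text.strip()


def parse_fvdl(xml_text: str) -> FvdlReport:
    # xml.etree keeps this stand-alone; for XML you did not generate yourself the
    # Python docs recommend defusedxml, since the stdlib parser is exposed to
    # entity-expansion attacks.
    root = ET.fromstring(xml_text)
    if root.tag != q("FVDL"):
        raise ValueError("not an FVDL document, root element is %r" % root.tag)
    build = root.find(q("Build"))
    if build is None:
        raise ValueError("FVDL document has no <Build> element")
    report = FvdlReport(_text(build, "BuildID"),
                        int(_text(build, "NumberFiles", "0")), int(_text(build, "LOC", "0")))
    for f in build.iterfind(q("SourceFiles") + "/" + q("File")):
        report.source_files[(f.text or "").strip()] = int(f.get("size", "0"))
    for vuln in root.findall(q("Vulnerability")):
        cls, inst = vuln.find(q("ClassInfo")), vuln.find(q("InstanceInfo"))
        if cls is None or inst is None:
            continue  # skip a malformed entry rather than abort the whole report
        report.findings.append(Finding(
            class_id=_text(cls, "ClassID"), kingdom=_text(cls, "Kingdom"),
            vuln_type=_text(cls, "Type"), analyzer=_text(cls, "AnalyzerName"),
            instance_id=_text(inst, "InstanceID"),
            # assumption: the per-instance severity overrides the class default when present
            severity=float(_text(inst, "InstanceSeverity", _text(cls, "DefaultSeverity", "0"))),
            confidence=float(_text(inst, "Confidence", "0"))))
    return report


def findings_at_or_above(report: FvdlReport, min_severity: float) -> List[Finding]:
    """Triage view: findings meeting the severity threshold, most severe first."""
    hits = [f for f in report.findings if f.severity >= min_severity]
    return sorted(hits, key=lambda f: (f.severity, f.confidence), reverse=True)


if __name__ == "__main__":
    rep = parse_fvdl(SAMPLE_FVDL)
    print(rep.build_id, rep.number_files, "files,", rep.loc, "LOC")
    for f in findings_at_or_above(rep, 3.0):
        print("%s [%s/%s] sev=%.1f conf=%.1f" % (f.vuln_type, f.kingdom, f.analyzer, f.severity, f.confidence))
```

Every element lookup is namespace-qualified because the snippet puts everything under the fvdl default namespace; a reader that searches for bare "Vulnerability" finds nothing. The root-element check is the cheap sanity test before trusting a file handed over as "FVDL", and a malformed entry is skipped rather than taking the whole report down.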
Current thread:
- Interesting tidbit in iDefense Security Advisory 06.26.07 Kenneth Van Wyk (Jun 26)
- Interesting tidbit in iDefense Security Advisory 06.26.07 Steven M. Christey (Jun 26)
- Interesting tidbit in iDefense Security Advisory 06.26.07 Wall, Kevin (Jun 26)
- Interesting tidbit in iDefense Security Advisory 06.26.07 Paco Hope (Jun 26)
- Interesting tidbit in iDefense Security Advisory 06.26.07 Steven M. Christey (Jun 26)
- The Next Frontier McGovern, James F (HTSC, IT) (Jun 26)
- The Next Frontier Paco Hope (Jun 27)
- The Next Frontier ljknews (Jun 27)
- The Next Frontier Steven M. Christey (Jun 27)
- The Next Frontier McGovern, James F (HTSC, IT) (Jun 28)
- Interesting tidbit in iDefense Security Advisory 06.26.07 Paco Hope (Jun 26)
- Interesting tidbit in iDefense Security Advisory 06.26.07 Leichter, Jerry (Jun 27)
- Comparing Software Vendors McGovern, James F (HTSC, IT) (Jun 28)
- <Possible follow-ups>
- Interesting tidbit in iDefense Security Advisory 06.26.07 David A. Wheeler (Jun 28)
- Interesting tidbit in iDefense Security Advisory 06.26.07 J. M. Seitz (Jun 28)
- Interesting tidbit in iDefense Security Advisory 06.26.07 Leichter, Jerry (Jun 28)
- Interesting tidbit in iDefense Security Advisory 06.26.07 David A. Wheeler (Jun 28)
- Interesting tidbit in iDefense Security Advisory 06.26.07 J. M. Seitz (Jun 28)
